Potential Perl Reverse Shell Execution

Aug 12, 2024 · attack.execution ·

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

Sigma rule (View on GitHub)

 1title: Potential Perl Reverse Shell Execution
 2id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
 3status: test
 4description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
 5references:
 6    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 7    - https://www.revshells.com/
 8author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
 9date: 2023-04-07
10tags:
11    - attack.execution
12logsource:
13    category: process_creation
14    product: linux
15detection:
16    selection_img:
17        Image|endswith: '/perl'
18        CommandLine|contains: ' -e '
19    selection_content:
20        - CommandLine|contains|all:
21              - 'fdopen('
22              - '::Socket::INET'
23        - CommandLine|contains|all:
24              - 'Socket'
25              - 'connect'
26              - 'open'
27              - 'exec'
28    condition: all of selection_*
29falsepositives:
30    - Unlikely
31level: high

References

Reverse Shell Cheat Sheet

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...

Read More
Online - Reverse Shell Generator

Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.

Read More

Potential Perl Reverse Shell Execution

Sigma rule (View on GitHub)

References

Reverse Shell Cheat Sheet

Online - Reverse Shell Generator

Related rules